4 files changed, 12 insertions, 23 deletions

diff --git a/arch/x86/include/asm/fixmap.h b/arch/x86/include/asm/fixmap.h
index a09c28571064..51b9e322cb8f 100644
--- a/arch/x86/include/asm/fixmap.h
+++ b/arch/x86/include/asm/fixmap.h
@@ -104,9 +104,7 @@ enum fixed_addresses {
         FIX_LI_PCIA,    /* Lithium PCI Bridge A */
         FIX_LI_PCIB,    /* Lithium PCI Bridge B */
 #endif
-#ifdef CONFIG_X86_F00F_BUG
-        FIX_F00F_IDT,   /* Virtual mapping for IDT */
-#endif
+        FIX_RO_IDT,     /* Virtual mapping for read-only IDT */
 #ifdef CONFIG_X86_CYCLONE_TIMER
         FIX_CYCLONE_TIMER, /*cyclone timer register*/
 #endif
diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
index 1905ce98bee0..71700247a5d7 100644
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -164,20 +164,6 @@ int __cpuinit ppro_with_ram_bug(void)
         return 0;
 }
 
-#ifdef CONFIG_X86_F00F_BUG
-static void __cpuinit trap_init_f00f_bug(void)
-{
-        __set_fixmap(FIX_F00F_IDT, __pa_symbol(idt_table), PAGE_KERNEL_RO);
-
-        /*
-         * Update the IDT descriptor and reload the IDT so that
-         * it uses the read-only mapped virtual address.
-         */
-        idt_descr.address = fix_to_virt(FIX_F00F_IDT);
-        load_idt(&idt_descr);
-}
-#endif
-
 static void __cpuinit intel_smp_check(struct cpuinfo_x86 *c)
 {
         /* calling is from identify_secondary_cpu() ? */
@@ -206,8 +192,7 @@ static void __cpuinit intel_workarounds(struct cpuinfo_x86 *c)
         /*
          * All current models of Pentium and Pentium with MMX technology CPUs
          * have the F0 0F bug, which lets nonprivileged users lock up the
-         * system.
-         * Note that the workaround only should be initialized once...
+         * system. Announce that the fault handler will be checking for it.
          */
         c->f00f_bug = 0;
         if (!paravirt_enabled() && c->x86 == 5) {
@@ -215,7 +200,6 @@ static void __cpuinit intel_workarounds(struct cpuinfo_x86 *c)
 
                 c->f00f_bug = 1;
                 if (!f00f_workaround_enabled) {
-                        trap_init_f00f_bug();
                         printk(KERN_NOTICE "Intel Pentium with F0 0F bug - workaround enabled.\n");
                         f00f_workaround_enabled = 1;
                 }
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 68bda7a84159..10e24462c058 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -56,6 +56,7 @@
 #include <asm/fpu-internal.h>
 #include <asm/mce.h>
 #include <asm/context_tracking.h>
+#include <asm/fixmap.h>
 
 #include <asm/mach_traps.h>
 
@@ -753,6 +754,14 @@ void __init trap_init(void)
 #endif
 
         /*
+         * Set the IDT descriptor to a fixed read-only location, so that the
+         * "sidt" instruction will not leak the location of the kernel, and
+         * to defend the IDT against arbitrary memory write vulnerabilities.
+         * It will be reloaded in cpu_init() */
+        __set_fixmap(FIX_RO_IDT, __pa_symbol(idt_table), PAGE_KERNEL_RO);
+        idt_descr.address = fix_to_virt(FIX_RO_IDT);
+
+        /*
          * Should be a barrier for any external CPU state:
          */
         cpu_init();
diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
index 6afbb2ca9a0a..8bc4decb14ca 100644
--- a/arch/x86/xen/mmu.c
+++ b/arch/x86/xen/mmu.c
@@ -2039,9 +2039,7 @@ static void xen_set_fixmap(unsigned idx, phys_addr_t phys, pgprot_t prot)
 
         switch (idx) {
         case FIX_BTMAP_END ... FIX_BTMAP_BEGIN:
-#ifdef CONFIG_X86_F00F_BUG
-        case FIX_F00F_IDT:
-#endif
+        case FIX_RO_IDT:
 #ifdef CONFIG_X86_32
         case FIX_WP_TEST:
         case FIX_VDSO: